What can Zoom’s security response teach us about security in your law firm?

This article was originally part of a Lunch & Learn presentation hosted by Vazequez de Lara Law Group and has been adapted for this site. The presentation was originally titled ‘Security for the Virtual Law Firm’, but the title has been changed to better reflect the content.

Today we’re going to talk about what we can learn from Zoom’s security response. Zoom will be our case study for what taking responsibility for security in your law firm looks like. First, we’re going to talk about where they’ve fallen short. Second, we’ll review what they’ve done right. Third and last, we’re going to talk about how that applies to security in your firm in today’s context.

Why listen to me?

But, before all of that, allow me to introduce myself. My name is Luke Kumanchik. I am the owner of Honeycrisp. We provide Sweet Solutions for Apple-lovin’ Lawyers. Before I started Honeycrisp to serve a niche market, I worked for Dade County Public Schools, various commercial enterprises, and large entities like Jackson Health and UM Medical. All told, I’ve been in IT for 21 years.

Paradigm Shift

And the reason I bring up all of that is that over all that time, across all of those industries, I have never witnessed what we’re seeing today: a paradigm shift in how companies approach and communicate the safety and security of how they do business.

Clients are rewarding security and the safety it brings

Now is the time to evaluate your risks and communicate the steps you’re taking to mitigate them. Clients will reward you.

Zoom

That brings us to Zoom, perhaps the most-covered company during the pandemic. Zoom’s usage and user base have exploded as a result of social distancing. That large increase has brought scrutiny of the app’s security and of whether we should rely on Zoom to conduct business.

Zoom Failures

The first thing we need to say about Zoom is that from a security point of view, it’s merely problematic, not a disaster. What was a disaster, however, was their claim of end-to-end encryption.

Why?

Zoom claimed that they offered end-to-end encryption when, in fact, Zoom does not.

End-to-end Encryption

End-to-end encryption means that no one sees the information except the sender and the recipient. What Zoom offers is transport encryption.

Transport encryption means that you send the information to Zoom’s servers securely; Zoom then decides what to do with it and, finally, passes it on to the recipient.

This opens all communications to potential review. Zoom employees or third parties could, in theory, listen, watch, or use AI facial and voice recognition to scrape your meeting for various purposes, such as additional revenue.
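To make the difference concrete, here is a small simulation, added for this article and not code from Zoom. It models a sender, a relay server, and a recipient, and shows what the server can see under each model. The cipher is a deliberately simple keystream built from HMAC-SHA256 so the script runs with only Python’s standard library; it stands in for a real cipher and is not meant for protecting actual data. The message text is a constructed sample.

```python
"""Toy model: transport encryption vs end-to-end encryption.

Added illustration (not Zoom's code). The cipher below is a teaching
stand-in, not a production cipher.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16

# Constructed sample message for the demonstration.
MESSAGE = b"Client conference: settlement range discussed"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudo-random bytes from key and nonce (toy stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext; only a holder of `key` can reverse it."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def transport_encrypted_call(message: bytes):
    """Each hop is encrypted, but the server is the 'end' of the first hop.

    Returns (what the server can read, what the recipient receives).
    """
    sender_to_server = secrets.token_bytes(32)      # key shared with the server
    server_to_recipient = secrets.token_bytes(32)   # key shared with the server
    on_the_wire = encrypt(sender_to_server, message)
    # The server decrypts the first hop: at this point it holds the plaintext
    # and can inspect, record, or analyse it before relaying.
    server_view = decrypt(sender_to_server, on_the_wire)
    relayed = encrypt(server_to_recipient, server_view)
    recipient_view = decrypt(server_to_recipient, relayed)
    return server_view, recipient_view


def end_to_end_call(message: bytes):
    """The sender and recipient share a key the server never sees.

    The same per-hop transport keys still exist, but the server only ever
    handles the inner ciphertext. Returns (server's view, recipient's view).
    """
    conversation_key = secrets.token_bytes(32)      # known only to the two ends
    sender_to_server = secrets.token_bytes(32)
    server_to_recipient = secrets.token_bytes(32)
    inner = encrypt(conversation_key, message)
    on_the_wire = encrypt(sender_to_server, inner)
    # Stripping the transport layer leaves the server with opaque ciphertext.
    server_view = decrypt(sender_to_server, on_the_wire)
    relayed = encrypt(server_to_recipient, server_view)
    recipient_view = decrypt(conversation_key, decrypt(server_to_recipient, relayed))
    return server_view, recipient_view


def server_can_read(server_view: bytes, message: bytes) -> bool:
    """True when the relay server holds the plaintext of the message."""
    return server_view == message


if __name__ == "__main__":
    for name, call in (("transport", transport_encrypted_call),
                       ("end-to-end", end_to_end_call)):
        server_view, recipient_view = call(MESSAGE)
        print(f"{name:>10}: server can read = {server_can_read(server_view, MESSAGE)}, "
              f"recipient got message = {recipient_view == MESSAGE}")
```

The relevant question for any vendor is who holds the conversation key. In the transport model the server is a legitimate decryption point, so whatever it promises about not looking is a policy, not a property of the system; in the end-to-end model the server cannot look even if it wants to.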

Transport encryption is standard practice

Strictly speaking, this is the way that many video calls work – Google, Microsoft, and Facebook all use transport encryption and can do the same thing. These companies, however, never claimed to have end-to-end encryption and don’t use Chinese servers the way Zoom did.

What is an ‘end’, anyway?

To make matters worse, Zoom stood by this claim of end-to-end encryption, blaming it on a misunderstanding of what it determined to be an “end”.

An argument any lawyer can appreciate.

Needless to say, the security community skewered them for this and the media pounced on it.

Zoom successes

But, as far as Zoom’s list of failures goes, that’s where the list ends and the list of what Zoom has got right begins.

Zoom CEO responds

Zoom’s CEO responded to the criticism and the concerns quickly, acknowledging mistakes in design from the ground up and pledging to make drastic changes over the next 90 days.

And so Zoom has.

Tackled big problems

Zoom has done big things: they’ve paid the security community to find exploits and have either begun or completed a fix for each. They’re revamping their encryption algorithm (they have not announced end-to-end encryption).

Handled little problems

Zoom has done little things: Zoom has enabled Meeting Passwords and Waiting Rooms by default. They’ve hidden the all-important Meeting ID during a call. They’ve made the Security features prominent in the controls.

As a result, Zoom is now considered fine for everyday use.

A right and proper response

Through it all, Zoom listened to and engaged the security community while keeping their clients happy. They’ve done interviews, blog posts and videos. When they make a change, they make you aware of it.

Applying Zoom’s response strategy to your firm

So, how does this apply to security in your law firm?

I said earlier that there’s a paradigm shift in how companies approach and communicate the safety and security of how they do business. So, what exactly is that shift, how can you apply it to your law firm, and, ultimately, how can you use it to engage in the conversation with your clients?

Step 1: Mind your product

The first may not be obvious. Zoom already had a great product. What Zoom didn’t do was allow security to ruin it.

Frequently, security does more harm than good to the user experience. Just think of the last time you tried to communicate with your bank. Was it easy and pleasant to email back and forth? 

Users use Zoom because it’s fast, easy, and the quality is great. If Zoom had put security before the user’s experience, would it be as successful?

On the road to safety, don’t lose sight of what makes your firm great.

Step 2: Little changes. Big impact.

The second thing to take note of is that the majority of the changes Zoom has made involve features that have always existed. Meeting Passwords, Waiting Rooms, and the options found in the Security button aren’t new. They were there before the pandemic. No one knew about them and no one used them.

How many security features do you and your clients not use? Multi-factor authentication, password managers, mobile device management: the list goes on.

Take stock of what you already have and use it.

Step 3: Your identity includes security

The third is that Zoom took the time to listen, implement, and communicate security changes.

They developed a 90-day plan based on feedback, the CEO gave weekly, public security briefings, and they bombarded the world with documentation, press, and video on how to use Zoom safely.

That’s buy-in from the entire company. Security wasn’t the job of just the IT team, nor was it something for Marketing to solve.

How do you talk about security in your firm? Do you ever talk about it with your clients?

Set aside time to coordinate which security features matter to your clients, then implement and promote them.

Zoom’s security response is a template for law firms

Today we talked about Zoom: where they’ve misstepped and how they’ve course-corrected. We did so, ultimately, to discover what their story can tell us about how to incorporate security in your law firm.

Zoom’s story teaches us that security is on everyone’s mind and shows a path forward for making security part of your firm.

Clients want to know they’re safe. You can give them that by reassuring clients that what makes you great is here to stay, by taking immediate steps to improve, and by communicating the message as part of your identity.

Would you like to continue the conversation?

If you’d like to take action to turn security from a weakness into a strength, from an afterthought into a valuable part of your firm’s identity, reach out to us. We’ve helped many firms to change the way they approach technology. We can help you, too.


Luke Kumanchik

Entrepreneur, programmer, backyard farmer & Dungeon Master Extraordinaire.